I'm working with some json data that contains 1 field with a list of keys and 1 field with a list of values. These pairs may change event to event, but item 1 in field 1 will always align with item 1 in field 2. So I'd like to join these together so that I get a field name of field1_value1 with the data of field2_value1. A sample of where I am right now in this: | makeresults count=1 | eval event.key="email,user,event_id,state" | eval event.values="user@acme.corp,Jon Smith,1234,Open" | makemv delim="," event.key | makemv delim="," event.values |eval keyjoin=mvzip('event.key','event.values') | mvexpand keyjoin So this will properly join the data into the field keyjoin, but now I have to take out the first value in it to be the field name and the second to be the field value. Any advice? Edit: The desired end state would be the ability to add further search criteria after formatting the data. This is going to drive several panels, so obviously more than that, but if I can get to that stats, then I can go from there. Just need to solve for MISSING SPL HERE | makeresults count=1 | eval event.key="email,user,event_id,state" | eval event.values="user@acme.corp,Jon Smith,1234,Open" | makemv delim="," event.key | makemv delim="," event.values |eval keyjoin=mvzip('event.key','event.values') | mvexpand keyjoin | **MISSING SPL HERE** | stats count by state, user ... View more

I'm trying to build a dashboard where an analyst can have a single text input and have a dropdown for the data type and pass the combined information to the search. Unfortunately, it's not working. Token Logic: User inputs 127.0.0.1 into $token1$. Then selects "IP" label in the dropdown, which contains the logic (src=$token1$ OR dest=$token1$) and is labeled $token2$. Search, for now, is simply index=firewalls $token2$. Problem Description: What we expect to land in the panel is "index=firewalls (src=127.0.0.1 OR dest=127.0.0.1). What we are seeing, when "open in search" is utilized, is "index=firewalls (src=$token1$ OR dest=$token1$)". When we get the logic for the inputs right we plan on converting this to a datamodel search, but for now we just need to figure out how to pass information inputted into one input to another. Reason why we're building this: This is a version1 just to get analysts going and be able to modularize a lot of their workflow that is currently a bunch of hand jamming searches every time they want to do something, so we get searches that are just an IP over all time. We're building this into ES to start to move analysts over to that, but this is the short term need, as they view IP lookup as "difficult". Edit: SimpleXML of dashboard attached <form> <label>Test Searching</label> <fieldset submitButton="true" autoRun="false"> <input type="text" token="token1" searchWhenChanged="true"> <label>IOC for Search</label> </input> <input type="dropdown" token="token2"> <label>Field to Search</label> <choice value="&quot;$token1$&quot;">IP</choice> </input> </fieldset> <row> <panel> <event> <title>Search Events</title> <search> <query>index="firewalls" $token2$</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="list.drilldown">none</option> </event> </panel> </row> </form> ... View more

So I'm trying to build an asset table, and update fields based on select criteria. What I'm getting stuck on is I want nothing to happen if there isn't a match, but I want an action if there is a match. For example, I have a table as follows: asset_lookup: fields: ip,dns,bunit, category,priority I have another that is as follows: hva_asset_lookup: fields: host, system_group So the asset_lookup, when generated, sets the priority to "medium". I want to override that if there is a match on the hva_asset_lookup, so I do the following search: | inputlookup asset_lookup | lookup hva_assets host AS ip OUTPUT system_group | eval priority=if(isnull(FISMA_system_name),"medium","critical") This works, but I'd rather get rid of the "null" action so that I could chain together the logic and continue to change the priority without overriding the prior settings. For example, if I follow that up with this: | eval priority=case(bunit="hq","high") Everything that doesn't match is overridden to null. And if I do it prior to the if(isnull()) eval, then the high is overridden. So, how do I override a field only if my eval matches, and to not touch is otherwise? ... View more

So I understand that the minimum timespan on a hot bucket is 1 hour, but bucket sizing defaults to a file size instead of a timespan. It is also warned that setting bucket sizes too small will yield "too many buckets". It seems that the implicit guidance is for larger bucket sizes and fewer of them. However, this seems counter intuitive as having lots of small buckets would seem to imply less searching would be required. Am I missing something? What is the disadvantage of having lots of small buckets and rotating them frequently besides file count? Do you lose compression, do the tsidx files go crazy and eat all the disk, what actually happens? Has anyone gone against the grain and implemented small bucketing with fast rotation? ... View more